Abstract

When a computer monitors a physical process, the computer uses sensors to determine the values of the physical variables that represent the state of the process. A sensor can sometimes fail, however, and in the worst case report a value completely unrelated to the true physical value. The work described in this paper is motivated by a methodology for transforming a process control program that cannot tolerate sensor failure into one that can. In this methodology, a reliable abstract sensor is created by combining information from several real sensors that measure the same physical value. To be useful, an abstract sensor must deliver reasonably accurate information at reasonable computational cost.

In this paper, we consider sensors that deliver multidimensional values (e.g., location or velocity in 3 dimensions). Geometric techniques are used to derive upper bounds on abstract sensor accuracy and to develop efficient algorithms for implementing abstract sensors.

1 Introduction

A process control program communicates and synchronizes with a physical process. Typically, the program reads values from the physical process through sensors and writes values through actuators, as shown schematically in Figure 1. This paper is concerned with control programs tolerating failures of continuous-valued sensors.

Figure 1: A process-control program

In an earlier paper [6], we presented a methodology for writing process control programs that can tolerate faulty sensors:

1. A specification of the control program is written in terms of the state variables of the physical system. For example, the specification of a program controlling a chemical reaction vessel would refer to a variable T whose value is assumed to be the temperature of the vessel.

2. Each physical state variable referenced by the specification is replaced with a reference to an abstract sensor. An abstract sensor is a set of values that contains the correct value of the physical variable of interest. Uncertainty in sensor values now becomes an issue, and the specification must be re-examined and possibly changed to accommodate it.

3. The control program is written based on the specification produced by Step 2. This program reads abstract sensors that are assumed to always contain the correct value of the corresponding physical variables.

4. For each abstract sensor referenced by the program written in Step 3, a set of abstract sensors that fail independently is constructed. Each abstract sensor is implemented using a concrete sensor, which is a physical device that “reads” a physical variable, such as a thermometer. This step will require some knowledge of the physical process being controlled as well as the specification of the concrete sensor.

5. A fault-tolerant averaging function is used with these replicated abstract sensor values in order to calculate another abstract sensor that is correct even if some of the original sensors are incorrect. The averaging algorithm assumes that no more than f out of the n abstract sensors are incorrect. The relation between n and f depends on the way sensors can fail.

The resulting system will have a structure like that shown in Figure 2.

Figure 2: Replicated sensors

Step 5 in the above methodology is an example of masking failures through redundancy [11]. In fact, the fault-tolerant averaging function presented in [6] is a generalization of NMR, or n-module redundancy, whereby n independent copies are fed into a majority voter [12]. For both NMR and our averaging function, up to f = signal failures can be masked.

One limitation of our earlier work is that the fault-tolerant averaging function of [6] is applicable only to sensors that measure a single, independent, real value. An example of a sensor that does not fit this model is one that measures the location of some physical object in 3D space. If such multidimensional sensors are used then a naive approach to masking failures is to consider the x component separately from failures of the y and z components, but doing so limits the accuracy of the resulting value. For example, any sensor found to be faulty by examining the x components should most likely be discarded when considering the y and z components.

In this paper, we extend our fault-tolerant averaging function to multidimensional sensors. We derive the amount of replication necessary to achieve fault masking, which turns out to be a function of the number of possible failures and both the shape and number of dimensions of the sensor measurement. We also discuss efficient algorithms for computing the fault-tolerant average.

One way in which our approach is unusual is that we apply a very weak failure model to sensor failures. This failure model, defining a fault hierarchy and assuming no more than f of n components are faulty, has been applied to several problems in distributed systems such as consensus [8] and reliable broadcast [1]. It has also been incorporated into a methodology for building fault-tolerant distributed programs [10,5]. In contrast to our method of tolerating sensor failure, the more typical approach models the value of a sensor as a random variable and then convolves several measurements, either from different sensors or the same sensor read at different times [2]. Doing so posits a probability distribution function, which may be too strong an assumption. One of the goals of our research is to understand the applicability of the weaker failure model to continuous-valued signals.

The paper proceeds as follows. In Section 2, we present our failure model for sensors and describe how faults can be masked. Section 3 summarizes the relevant results from [6]. Sections 4 and 5 extend the results of Section 3 to d-dimensional rectangles and d-dimensional circles, respectively. Note that the results on circles actually hold for any class of convex shapes in which the shapes are geometrically similar and share the same orientation (for example, squares aligned with a fixed coordinate system). Section 6 discusses bounds for some special cases, and Section 7 summarizes our results.

2 System Model

We distinguish between a concrete sensor, which is a device that reads a physical state variable, and an abstract sensor, which is a set of possible values for the physical state variable. Abstract sensors are easier to reason about than concrete sensors, in part because there are several different kinds of concrete sensors, each with a different specification. If considered as a whole, the only failure model one can impose on concrete sensors is a probabilistic one. This is not the case for abstract sensors, as discussed below. Further discussion on the implementation of abstract sensors and their use in specifications can be found in [6].

We assume that abstract sensors have the following properties. Let $s_i$ be a sensor of some physical variable v. A measurement $s_i$ is a continuous set of values that conform to some shape, such as a continuous interval, a rectangle, a sphere, etc. We say that $s_i$ is correct if it is not too inaccurate and always includes the value of the actual physical variable. More precisely, for some upper bound acc on the accuracy of $s_i$,

$$s_i \text{ correct} \;\stackrel{\text{def}}{=}\; v \in s_i \,\wedge\, |s_i| \le \mathit{acc}$$

where $|s_i|$ is the accuracy of $s_i$. Thus, an abstract sensor can fail in two ways: it can fail to contain the true value or it can report a region so large as to be useless. In this paper, we first assume such large-region sensors could be detected and discarded by preprocessing the abstract sensor data (n and f would have to be adjusted). We relax this assumption in Section 6.

Let $s_i$ and $s_j$ ($i \ne j$) be the measurements by two abstract sensors for the same physical value v. If $s_i$ and $s_j$ both contain the correct value, then the measurements $s_i$ and $s_j$ must intersect, and their intersection must contain the (unknown) value v.

Consider a set $S = \{s_1, s_2, \ldots, s_n\}$ of n independent measurements of the same physical value. If f or fewer measurements do not contain the correct value, then any set of n - f mutually intersecting measurements may contain the correct value within their intersection, since they each share a common value. Conversely, any point not contained in at least n - f measurements cannot be the correct value; if it were, then there would be more than f faulty sensors. So, the cover of all (n - f)-cliques must contain the correct value. (An (n - f)-clique corresponds to a value where at least (n - f) sensor measurements intersect.)

We have one further constraint: any program written to deal with a single measurement assumes that the sensor delivers a region of some expected shape (e.g., rectangle, sphere, interval, etc.), so we require the cover to also have this same shape. This constraint allows us to improve a program based on a single (unreliable) abstract sensor by changing only the implementation of the sensor; the abstract sensor is replaced by several abstract sensors whose inputs are combined to produce a single reliable abstract sensor. The program can use the resulting reliable abstract sensor just as it originally used the single abstract sensor.

To summarize, we have the following goals for our reliable abstract sensor:

1. It should be guaranteed (assuming no more than f failures) to deliver a region containing the true physical value.

2. It should deliver a shape that is within the same class as the shapes delivered by the individual abstract sensors.

3. It should be accurate. In other words, assuming no more than f failures, it should deliver a region that is not significantly larger than a region that might be delivered by a single, correct abstract sensor.

4. It should be efficient to compute. A reliable abstract sensor is useless unless it can be computed in a reasonable amount of time.

It is useful to define $\mathcal{I}_{f,n}(S)$, the smallest region that satisfies goals 1 and 2. In other words, $\mathcal{I}_{f,n}(S)$ is the smallest figure of the correct shape that covers all (n - f)-cliques in S. For instance, if the individual sensors report intervals in one dimension then $\mathcal{I}_{f,n}(S)$ is the smallest interval that contains all the (n - f)-cliques. It is clear that the (unknown) true value v is a member of $\mathcal{I}_{f,n}(S)$ as long as no more than f measurements are faulty.

Figure 3 illustrates $\mathcal{I}_{f,n}(S)$ for measurements that are rectangles. The left-hand figure shows four measurements, and the right-hand figure shows the smallest rectangle that covers all 3-cliques of the measurements.

3 Linear Sensors

In [6], we show that for linear sensors - sensors that report 1D intervals - $\mathcal{I}_{f,n}(S)$ can be found efficiently and that for $f < n/2$, $\mathcal{I}_{f,n}(S)$ has reasonable size. The upper bounds on $|\mathcal{I}_{f,n}(S)|$ are stated in the following two theorems. We do not include the proofs in this paper, but the bounds are derived by considering interval graphs [4].

First, we need some notation. Define the functions $\min_i$ and $\max_i$ to be the $i$th smallest and largest values of a set of n values respectively. Note that $\min_i$ is the same as $\max_{n-i+1}$. For example, if $S = \{13, 14, 15\}$ then $\min_3(S) = \max_1(S) = 15$.

Figure 3: $\mathcal{I}_{1,4}(S)$ for Rectangular Measurements.

Theorem 1 Let S be a set consisting of n intervals. If $0 < f < n/2$ then $|\mathcal{I}_{f,n}(S)| \le \min_{2f+1}\{|s| : s \in S\}$.

Thus, when f < the resulting reliable abstract sensor is as accurate as one of the original sensors, and the larger n - f is (i.e., the more likely any one sensor reading is correct), the more accurate $\mathcal{I}_{f,n}(S)$ is.

$\mathcal{I}_{f,n}(S)$ can also be computed efficiently - in $O(n \log n)$ time - by sorting the endpoints of the n intervals and then moving through the endpoints in order, keeping track of the depth at each instant. $\mathcal{I}_{f,n}(S)$ is bounded by the smallest and largest points that are in (n - f)-cliques. Figure 4 illustrates this algorithm. The hatched areas denote the points that are in 3-cliques, and the lowest interval is $\mathcal{I}_{2,5}(S)$. Note that according to Theorem 1, the length of $\mathcal{I}_{2,5}(S)$ is bounded by the length of the longest interval in S, although in Figure 4, it happens to be shorter than the longest interval.

The second theorem states that there is no upper bound on the size when $f \ge n/2$.

Theorem 2 Given a set $\{\ell_1, \ell_2, \ldots, \ell_n\}$ of n lengths and $n/2 \le f < n$, then for any length $A > \max\{\ell_1, \ell_2, \ldots, \ell_n\}$, there exists a set of n intervals $S = \{s_1, s_2, \ldots, s_n\}$ where $\forall i : 1 \le i \le n : |s_i| = \ell_i$ and $|\mathcal{I}_{f,n}(S)| = A$.

It is easy to see that an equivalent of Theorem 2 holds for multidimensional sensors as well as linear ones. If over half the sensors have failed then $\mathcal{I}_{f,n}(S)$ may be arbitrarily large regardless of the dimension of the sensor's data.

Figure 4: $\mathcal{I}_{2,5}(S)$ for Linear Measurements.


3.1 Multidimensional Sensors and Projection

The 1D results on intervals can be used directly to give results for multidimensional sensors. For a d-dimensional sensor, we project the region for sensor measurement $s_i$ onto each of the d orthogonal axes. We now have d separate 1D problems. These problems can be solved individually and then recombined to produce a d-rectangle, which we call the projection rectangle. There are several possible disadvantages to this approach:

1. Information may be lost. For example, the knowledge that a sensor's x-coordinate cannot possibly be correct can be used to discard the entire measurement.

2. A d-rectangle is not necessarily the desired shape. For example, our abstract sensor may be required to report a circle.

3. The size of the resulting sensor may be larger than necessary (for example, see Figure 5).

In fact, projection techniques are the method-of-choice in some situations (see Section 4), but these situations depend on the shapes involved and the relationship between f and n.

4 d-Rectangles

If $s_i$ is constrained to be a d-dimensional rectangle, then another upper bound can be placed on the size of $\mathcal{I}_{f,n}(S)$.

Figure 5: (a): Three rectangles and their projection onto the x and y axes, (b): is the crosshatched region and the projection rectangle is the gray region.

Theorem 3 Let S be a set consisting of n d-dimensional rectangles. If $0 < f < n/(2d)$ then $|\mathcal{I}_{f,n}(S)| \le \min_{2df+1}\{|s| : s \in S\}$.

Proof. We use a counting argument to show that $\mathcal{I}_{f,n}(S)$ is contained in at least (n - 2df) of the original d-rectangles. Assume $f < n/(2d)$. Choose 2d points, one from each of the 2d sides of $\mathcal{I}_{f,n}(S)$ where each chosen point is a member of an (n - f)-clique. These points must exist since if they did not, $\mathcal{I}_{f,n}(S)$ could be reduced in size. Call this set P. By definition of (n - f)-clique, each point p of P is contained in at least (n - f) d-rectangles. Letting $\mathcal{R}_p$ represent the set of d-rectangles containing p, we have $n - f \le |\mathcal{R}_p|$ for each point $p \in P$. If we sum the number of rectangles containing each point, we get

$$2d(n - f) \le \sum_{p \in P} |\mathcal{R}_p| = \sum_{i=1}^{2d} i \cdot |\{\text{rectangles containing exactly } i \text{ points of } P\}|.$$

The last sum can be broken into two pieces: the part due to d-rectangles that contain all the points of P and the part due to d-rectangles that contain fewer points. Let a be the number of d-rectangles that contain all 2d of the points in P; that is, the rectangles that contain $\mathcal{I}_{f,n}(S)$. The number of rectangles remaining is n - a. The part of the sum due to the d-rectangles that contain fewer points can be bounded by $(2d - 1)(n - a)$. We now have

$$2d(n - f) \le 2da + (2d - 1)(n - a).$$

Solving for a, we get $a \ge n - 2df$; thus, $\mathcal{I}_{f,n}(S)$ is contained in at least (n - 2df) d-rectangles and the bound of the theorem follows immediately. □

The bound on f given in the theorem is tight. Figure 3 shows a 2D example where f = and $\mathcal{I}_{f,n}(S)$ is larger (in area) than any of the original rectangles. Similar examples can be built for any dimension d.

This theorem shows that the increased accuracy comes with a price: if it is desired that $|\mathcal{I}_{f,n}(S)|$ be at least as accurate as some measurement in S, then the amount of replication needed increases quickly (linearly) with d. For example, in order to tolerate a single failure for measurements that are 3D rectangles, a sensor must be replicated at least 7 times.

4.1 Algorithms for Rectangles

The 1D algorithm for intervals can be extended to handle rectangles. In 1D, we move from left to right across the intervals, keeping track of the covering depth. A similar sweeping idea works for 2D: we move a vertical sweep line from left to right across the rectangles, keeping track of the covering depth. Note that this depth can be different for different y-values, so depth information must be kept for each position along the vertical sweep-line. As the line enters or leaves a rectangle the depth information is updated. Using a naive implementation, this update takes $O(n)$ time, leading to an $O(n^2)$ time algorithm for computing $\mathcal{I}_{f,n}(S)$. Since the entire boundary of the (n - f)-cliques can be of complexity $\Omega(n^2)$, this might appear to be the best time-bound one can hope for. Note though, that the entire boundary is unnecessary; we need only determine the left, right, top, and bottom boundaries. This can be done efficiently by using Bentley's segment tree (see, for instance, [9]) to keep track of depth information along the vertical sweep-line. Thus, the entire computation for constructing $\mathcal{I}_{f,n}(S)$ can be done in $O(n \log n)$, including the initial sorting that must be done in preparation for both the sweep-line (sorting by x-coordinate) and the segment tree (sorting by y-coordinate).

Unfortunately, this technique does not generalize well to higher dimensions. The 2D version is fast because we can make use of the segment tree, a structure that allows efficient insertion and deletion of segments. But higher-dimensional analogs - allowing insertion and deletion of rectangles, for instance - are not correspondingly efficient. Thus, as the dimension increases the time bounds become prohibitively large.

There is, however, an efficient algorithm that reports a d-rectangle (for any dimension d) that is almost as good as the minimal d-rectangle that we desire. This uses the projection technique described in Section 3.1, converting a d-dimensional problem into d 1-dimensional problems. The results of these separate 1D problems are combined to produce the projection rectangle, a d-rectangle that is guaranteed to be of reasonable size. The algorithm is based on the following theorem.

Theorem 4 Let S be a set consisting of n d-dimensional rectangles. If $0 < f < n/(2d)$ then the size of the projection rectangle is $\le \min_{2df+1}\{|s| : s \in S\}$.

Proof. Each d-rectangle r is associated with exactly d intervals, one for each axis; these are the intervals found by projecting r onto the axes. Let $I_r$ be the set of intervals associated in this way with d-rectangle r. For each axis, we now have a 1D problem with $f < n/2$. By the proof of Theorem 3, the 1D (n - f)-cliques for each axis are contained in at least n - 2f intervals. Let $I$ be the set of all such intervals, at least n - 2f of them from each axis. If we sum the number of rectangles over all intervals, we get

$$d(n - 2f) \le |I| = \sum_{i=1}^{d} i \cdot |\{r : |I_r \cap I| = i\}|.$$

The last sum can be broken into two pieces: the part due to rectangles that project onto a member of $I$ for all axes, and the part due to other rectangles. Let a be the number of d-rectangles r for which $|I_r \cap I| = d$; that is, the d-rectangles that contain the projection rectangle. The number of rectangles remaining is n - a. The part of the sum due to these remaining rectangles can be bounded by $(d - 1)(n - a)$. We now have

$$d(n - 2f) \le da + (d - 1)(n - a).$$

Solving for a, we get $a \ge n - 2df$; thus the projection rectangle is contained in at least n - 2df d-rectangles and the bound in the theorem follows immediately. □

Note that the projection rectangle can be computed in $O(dn \log n)$ time and has exactly the same size bound as $\mathcal{I}_{f,n}(S)$. Thus, if our goal is simply to create an abstract sensor that is at least as accurate as some measurement in S, the projection rectangle is as good as

This theorem shows that, at least for rectangles, the projection rectangle can be used to define a reliable abstract sensor with all the desirable properties that we have specified. The projection rectangle is either the same size or somewhat larger than the optimal rectangle.
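The 1D endpoint sweep of Section 3 and the projection technique of Section 4.1, written out as an added Python example; it is not code from the paper. The function names, the closed-interval convention and the seven 3D readings (d = 3, f = 1, n = 7, one reading faulty) are assumptions constructed for illustration.

```python
"""Fault-tolerant fusion of interval and d-rectangle sensor readings."""
from typing import List, Optional, Sequence, Tuple

Interval = Tuple[float, float]   # closed interval (lo, hi)
Rect = Sequence[Interval]        # one interval per axis


def fuse_intervals(intervals: Sequence[Interval], f: int) -> Optional[Interval]:
    """Smallest interval covering every point that lies in >= n - f inputs.

    Sorts the 2n endpoints and sweeps them while tracking the covering
    depth, so the cost is O(n log n). Returns None when no point is covered
    by n - f intervals, i.e. the "at most f faulty" assumption is violated.
    """
    n = len(intervals)
    need = n - f
    if f < 0 or need < 1:
        raise ValueError("require 0 <= f < n")
    events = []
    for lo, hi in intervals:
        if lo > hi:
            raise ValueError("interval with lo > hi")
        events.append((lo, 0))   # 0 = open; sorts before a close at the same x
        events.append((hi, 1))   # 1 = close
    events.sort()
    depth = 0
    left = right = None
    for x, kind in events:
        if kind == 0:
            depth += 1
            if left is None and depth >= need:
                left = x         # smallest point inside an (n - f)-clique
        else:
            if depth >= need:
                right = x        # largest such point seen so far
            depth -= 1
    return None if left is None else (left, right)


def projection_rectangle(rects: Sequence[Rect], f: int) -> Optional[List[Interval]]:
    """Solve one 1D problem per axis and recombine: O(d n log n)."""
    d = len(rects[0])
    if any(len(r) != d for r in rects):
        raise ValueError("all readings must have the same dimension")
    box = []
    for axis in range(d):
        fused = fuse_intervals([r[axis] for r in rects], f)
        if fused is None:
            return None
        box.append(fused)
    return box


def count_containing(rects: Sequence[Rect], box: Sequence[Interval]) -> int:
    """Number of readings that contain `box` (the quantity a in the proof)."""
    return sum(
        all(lo <= blo and bhi <= hi for (lo, hi), (blo, bhi) in zip(r, box))
        for r in rects
    )


def contains_point(box: Sequence[Interval], v: Sequence[float]) -> bool:
    return all(lo <= x <= hi for (lo, hi), x in zip(box, v))


# Constructed sample data: six correct 3D readings around TRUE_VALUE and one
# faulty reading whose x and z ranges are wrong but whose y range is plausible.
TRUE_VALUE = (10.0, 20.0, 5.0)
READINGS = [
    [(9.5, 10.6), (19.4, 20.5), (4.6, 5.5)],
    [(9.7, 10.8), (19.6, 20.7), (4.5, 5.4)],
    [(9.4, 10.3), (19.8, 20.9), (4.8, 5.7)],
    [(9.8, 10.9), (19.5, 20.4), (4.7, 5.6)],
    [(9.6, 10.5), (19.7, 20.6), (4.4, 5.3)],
    [(9.9, 10.7), (19.3, 20.2), (4.9, 5.8)],
    [(14.0, 15.0), (19.9, 20.8), (1.0, 2.0)],   # faulty
]

if __name__ == "__main__":
    d, f, n = 3, 1, len(READINGS)
    box = projection_rectangle(READINGS, f)
    print("projection rectangle:", box)
    print("contains true value:", contains_point(box, TRUE_VALUE))
    print("readings containing it:", count_containing(READINGS, box),
          ">= n - 2df =", n - 2 * d * f)
```

On the y axis the faulty reading overlaps the correct ones, so the fused y range is wider than the intersection of the six correct readings; this is the information loss that Section 3.1 attributes to treating each axis separately.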

5 d-Circles

In this section, we show that circles are better than rectangles in the sense that the bound on the size of $\mathcal{I}_{f,n}(S)$ for circles grows more slowly than the corresponding bound for rectangles. We also show that circles are worse than rectangles in the sense that $\mathcal{I}_{f,n}(S)$ is more difficult to compute for circles than for rectangles.

If $s_i$ is constrained to be a d-dimensional circle (e.g., a sphere in 3D) then the following upper bound can be placed on the size of

Theorem 5 Let S be a set consisting of n d-circles. If $0 < f < n/(d+1)$ then $|\mathcal{I}_{f,n}(S)| \le \min_{(d+1)f+1}\{|s| : s \in S\}$.

Proof. We use a counting argument to show that $\mathcal{I}_{f,n}(S)$ is contained in at least (n - (d + 1)f) of the original d-circles. Assume $f < n/(d+1)$. Choose a set P, consisting of d + 1 points such that each point is a member of an (n - f)-clique and the d + 1 points pin the circle $\mathcal{I}_{f,n}(S)$. (A circle is pinned by a set of points if it is the smallest circle that includes that set of points.) These points must exist since if they did not, $\mathcal{I}_{f,n}(S)$ could be reduced in size. By definition of (n - f)-clique, each point p of P is contained in at least (n - f) d-circles. Letting $\mathcal{C}_p$ represent the set of d-circles containing p, we have $n - f \le |\mathcal{C}_p|$ for each point $p \in P$. If we sum the number of circles containing each point, we get

$$(d + 1)(n - f) \le \sum_{p \in P} |\mathcal{C}_p| = \sum_{i=1}^{d+1} i \cdot |\{\text{circles containing exactly } i \text{ points of } P\}|.$$

The last sum can be broken into two pieces: the part due to d-circles that contain all the points of P and the part due to d-circles that contain fewer points. Let a be the number of d-circles that contain all d + 1 of the points in P; that is, the circles that contain $\mathcal{I}_{f,n}(S)$. The number of circles remaining is n - a. The part of the sum due to the d-circles that contain fewer points can be bounded by $d(n - a)$. We now have

$$(d + 1)(n - f) \le (d + 1)a + d(n - a).$$

Solving for a, we get $a \ge n - (d + 1)f$; thus, $\mathcal{I}_{f,n}(S)$ is contained in at least n - (d + 1)f d-circles and the bound of the theorem follows immediately. □

This bound grows more slowly with d than does the bound of Theorem 3. For example, in order to tolerate a single failure for measurements that are spheres, a sensor must be replicated at least 4 times.

This theorem applies to sensors with a large variety of shapes - not just (simple) circles. Given a class of convex shapes in which the shapes are geometrically similar and share the same orientation, the shapes can be pinned by d + 1 points where d is the dimension of the space. This property was the only circle property used in the proof of the theorem; thus, the same bounds hold for any such class of convex shapes.

Algorithms for d-circles are not as efficient as algorithms for d-rectangles. Even in 2D, it appears that to find the (n - f)-cliques, it is necessary to build the entire arrangement of n circles. Since n circles can have $\Omega(n^2)$ intersections, building the arrangement must take time $\Omega(n^2)$. (The incremental algorithm for building an arrangement of circles takes worst-case time $O(n\lambda_4(n))$ where $\lambda_4$ is an almost-linear function related to Davenport-Schinzel sequences [3]; using randomization, the arrangement can be built in expected time $O(m + n \log n)$ where m is the number of intersections [7].) Of course, we can replace each d-circle by a d-square that contains it and use the rectangle techniques, but this may produce an answer less accurate than desired.

6 Other Results

Improved results are possible if sensors are known to report d-rectangles that are all the same size and orientation. In this case, the projection technique can be used to create a reliable abstract sensor which reports a d-rectangle of the standard size in $O(dn \log n)$ time provided $f < n/2$. Note that for this case, the required relation between f and n is independent of d. This better bound occurs because for a single axis each projected rectangle (i.e., each interval) is exactly the same size. Since f < by Theorem 1 there is a single interval that contains all the (n - f)-cliques for an axis. When these containing intervals are recombined to create the projection rectangle we get a rectangle of the same size and orientation as the original rectangles. Note that the projection rectangle may not correspond to any of the original rectangles. In contrast, for identically sized circles, the smallest circle covering all of the (n - f)-cliques may be larger than the initial circles even when $f < n/2$. An example of this case is shown in Figure 6. Of course, the bound in Theorem 5 still applies; $|\mathcal{I}_{f,n}(S)|$ is bounded by the size of the initial circles when $f < n/(d+1)$.

Figure 6: (a): Three unit circles, (b): Three unit circles with fourth unit circle in center. Note $\mathcal{I}_{1,3}(S)$ for the three original circles extends past the central unit circle.

Theorems 3 and 5 apply when measurements that are too inaccurate can be detected and removed in a preprocessing step. If this is not the case, then $\mathcal{I}_{f,n}(S)$ may be bounded by an abstract sensor that is too inaccurate. The following two theorems give bounds when abstract sensors may be undetectably inaccurate. Note that in this situation, a faulty sensor can contain the correct value.

Theorem 6 Let S be a set consisting of n d-rectangles, and let C be the (unknown) subset of S that are correct. If $f < n/(2d+1)$ then $|\mathcal{I}_{f,n}(S)| \le \min_{(2d-1)f+1}\{|s| : s \in C\}$.

The proof of this theorem is simple: from Theorem 3,

$$|\mathcal{I}_{f,n}(S)| \le \max_{n-2df}\{|s| : s \in S\}$$

For $|\mathcal{I}_{f,n}(S)|$ to be bounded by an accurate measurement, we must have $n - 2df > f$ and so $n > (2d + 1)f$. The worst case is when f faulty measurements are the most inaccurate, so

$$|\mathcal{I}_{f,n}(S)| \le \min_{(2d-1)f+1}\{|s| : s \in C\}$$

□

A similar proof supports the following theorem:

Theorem 7 Let S be a set consisting of n d-circles, and let C be the (unknown) subset of S that are correct. If f < then $|\mathcal{I}_{f,n}(S)| \le \min_{df+1}\{|s| : s \in C\}$.

We have also looked at some fast approximation techniques. A grid of equal-sized buckets can be used to detect (n - f)-cliques, leading to a linear-time fault-tolerant averaging algorithm at the cost of some accuracy. This technique works for both d-rectangles and d-circles, but is more accurate for rectangles.

7 Summary

We have shown how several abstract sensors (that measure the same multidimensional physical data) can be combined to produce a reliable abstract sensor. This process can be done efficiently for d-rectangles, reporting a region guaranteed to be of reasonable size, provided $f < n/(2d)$ where n is the number of sensors and f is the number of sensors that are faulty. For d-circles, a reliable abstract sensor region of reasonable size exists provided f < but determining this region is considerably less efficient. As mentioned above, the results on size bounds for circles actually hold for any class of convex shapes in which the shapes are geometrically similar and share the same orientation.

The following table summarizes our results:

geometry       n                 complexity          comments
linear         $2f + 1$          $O(n \log n)$
rectangles     $4f + 1$          $O(n \log n)$
d-rectangles   $2df + 1$         unacceptable        with $\mathcal{I}_{f,n}(S)$
d-rectangles   $2df + 1$         $O(dn \log n)$      with projection technique
circles        $3f + 1$          randomized
d-circles      $(d + 1)f + 1$    unacceptable
d-rectangles   $2f + 1$          $O(dn \log n)$      uniform size

The results in this table assume that the goal is to produce a reliable abstract sensor whose size is no larger than that of a single individual abstract sensor. If the reliable abstract sensor is allowed to be somewhat larger, then many of the time bounds can be improved. For instance, d-circles can be approximated by d-squares in order to produce a less-accurate reliable abstract sensor in time $O(dn \log n)$ by using the projection technique.

Theorem 3 shows bounds on the size of a reliable abstract sensor for $f < n/(2d)$ and an analog of Theorem 2 shows that for $f \ge n/2$ the size of an abstract sensor is unbounded. For in-between values of f, $n/(2d) \le f < n/2$, reliable abstract sensors are of bounded size, but such a sensor may report a d-rectangle significantly larger than any of the original d-rectangles.